Recipe Name:
Insecure Data Storage: Use SQLCipher Database (creation)
Description:
SQLite Databases are an insecure means of storage
Level:
warning
Language:
- java
Tags:
- security
- framework specific
- mobile
- Android
- SQL
- Android security set
Documentation
Android best practices and coding guidelines recommend that SQLCipher
should be preferred over SQLite databases.
SQLCipher
offers a fully-encrypted database. It is very easy to implement in your application as SQLCipher
offers their own implementation of the SQLite methods. A downside of SQLCipher
is a slight performance decrease, as well as the need to securely store the encryption key. Thus, SQLCipher
can be used if the key can be supplied by the user of the application (e.g., a pin or password), or if the key can be securely sent over the network to the application. Never store the encryption key in the application itself!
Recipe
id: scw:android:SQLCipher-creation version: 10 metadata: name: 'Insecure Data Storage: Use SQLCipher Database (creation)' shortDescription: SQLite Databases are an insecure means of storage level: warning language: java enabled: true comment: "" descriptionFile: descriptions/java_android_storage_encrypt_local_database_files_use_sqlcipher.html tags: security;framework specific;mobile;Android;SQL;Android security set search: methodcall: name: openOrCreateDatabase anyOf: - type: android.database.sqlite.SQLiteDatabase - type: android.app.Activity - type: android.content.ContextWrapper - type: android.content.Context scopes: library: name: contains: sqlcipher availableFixes: - name: Use a SQLCipher database actions: - rewrite: to: net.sqlcipher.database.SQLiteDatabase.openOrCreateDatabase(databaseFile, "secretKey", null)